Snort mailing list archives
Re: detection of smurf attack
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Tue, 1 Dec 2009 08:26:17 -0500
On Tue, Dec 1, 2009 at 3:57 AM, sofia insat <sofia.insat () yahoo fr> wrote:
I want to alert on this attack when I detect the first 20 ICMP packets per second. How can I do it?

--- On Tue 1.12.09, Rodrigo Montoro(Sp0oKeR) <spooker () gmail com> wrote:

From: Rodrigo Montoro(Sp0oKeR) <spooker () gmail com>
Subject: Re: [Snort-sigs] detection of smurf attack
To: "sofia insat" <sofia.insat () yahoo fr>
Cc: snort-sigs () lists sourceforge net
Date: Tuesday 1 December 2009, 01:39

"Since potentially many events will be generated, a detection filter would normally be used in conjunction with an event filter to reduce the number of logged events."

Read README.filter in the doc directory of the tarball. BTW your rule will trigger on any icmp packet (ipv4/ipv6). Read README.ipv6 too =)

Regards,

On Mon, Nov 30, 2009 at 9:38 PM, sofia insat <sofia.insat () yahoo fr> wrote:

Hi, I have to detect a smurf attack with ICMPv6 packets. I have used detection_filter and threshold like this:

alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF -----------"; detection_filter: track by_src, count 30, seconds 1; sid:1000009;)
alert icmp any any -> any any (msg:"---------- DOS IPV6: SMURF -----------"; threshold: type limit, track by_src, count 30, seconds 1; sid:10000010;)

but in the alert file I obtain all the alerts. The smurf attack script that I have used generates about 17000 echo request packets per second and I want to have only one alert.

Thanks

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

--
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

It looks like you are getting homework assignments to complete. This list is not here to answer homework questions. All the answers you seek are in the Snort manual and the README files that accompany the distribution. You need to do a little work, read the documentation and find your own answers.

--
Nigel Houghton
Head Mentalist SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
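As an added illustration (not code from this thread or from Snort itself), the following Python models how a rule-level detection_filter and a snort.conf event_filter of type limit combine, run over a constructed flood of 17000 packets from one source in one second. It assumes a simplified fixed window that restarts on a source's first packet after expiry, and the IPv6 address is a documentation-range placeholder.

```python
# Snort 2.x configuration being modelled (rule in a rules file, event_filter
# in snort.conf); the rule-level keyword alone is what yields "all the alerts":
#   alert icmp any any -> any any (msg:"DOS IPV6: SMURF"; \
#       detection_filter: track by_src, count 30, seconds 1; sid:1000009;)
#   event_filter gen_id 1, sig_id 1000009, type limit, track by_src, count 1, seconds 60

class RateWindow:
    """Per-source packet counter over a fixed S-second window that restarts on
    the first packet after the window expires. Simplified model of by_src
    tracking for both filters (assumption: ignores memcap and other details)."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, packets_seen_in_window)

    def tick(self, src, ts):
        start, n = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:  # window expired: start a new one
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n

class DetectionFilter(RateWindow):
    """detection_filter: track by_src, count N, seconds S. The rule stays
    silent until a source exceeds N packets in S seconds, then fires on
    every further packet in that window (hence thousands of events)."""
    def passes(self, src, ts):
        return self.tick(src, ts) > self.count

class EventFilterLimit(RateWindow):
    """event_filter type limit, track by_src, count N, seconds S. Only the
    first N events per source in each window are logged."""
    def log(self, src, ts):
        return self.tick(src, ts) <= self.count

def run(packets, detection=None, limit=None):
    """packets: iterable of (timestamp_seconds, src). Returns how many alerts
    would reach the alert file."""
    logged = 0
    for ts, src in packets:
        if detection is not None and not detection.passes(src, ts):
            continue  # rate not yet exceeded, rule does not match
        if limit is not None and not limit.log(src, ts):
            continue  # matched, but suppressed by the event_filter
        logged += 1
    return logged

# Constructed flood: 17000 echo requests from one source within one second.
FLOOD = [(i / 17000.0, "2001:db8::1") for i in range(17000)]
```

With the detection_filter alone every packet after the 30th is logged; adding the limit-type event_filter reduces that window to a single logged alert per source.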
Current thread:
- detection of smurf attack sofia insat (Nov 30)
- Re: detection of smurf attack Rodrigo Montoro(Sp0oKeR) (Nov 30)
- Re: detection of smurf attack sofia insat (Dec 01)
- Re: detection of smurf attack Joel Esler (Dec 01)
- Re: detection of smurf attack Nigel Houghton (Dec 01)
- Message not available
- Re: Re : detection of smurf attack Nigel Houghton (Dec 01)
- Re: detection of smurf attack sofia insat (Dec 01)
- Re: detection of smurf attack Rodrigo Montoro(Sp0oKeR) (Nov 30)